DEPARTMENT OF HOMELAND SECURITY

Office of Inspector General

Evaluation of DHS’ Security Program and Practices For Its Intelligence Systems

Unclassified Summary

Office of Information Technology

OIG-06-13
December 2005

Office of Inspector General
U.S. Department of Homeland Security
Washington, DC 20528

We conducted an evaluation of DHS’ information assurance posture, including its policies and procedures, for the intelligence systems under the department’s purview. We performed our work from May through September 2005, at both the program and organizational component levels. Our evaluation focused on DHS’ compliance with the Federal Information Security Management Act of 2002 for its intelligence systems in operation as of May 1, 2005, and containing Top Secret/Sensitive Compartmented Information (TS/SCI).

The overall objective of our evaluation was to identify whether DHS’ information security program and practices for its intelligence systems are adequate and effective in protecting TS/SCI information from unauthorized access, use, disclosure, disruption, modification, or destruction. Our assessment included five intelligence community-wide weakness areas that were previously identified by the Intelligence Community Chief Information Officer (IC CIO), and three additional areas that the IC CIO asked Offices of Inspector General to assess as part of their Fiscal Year 2005 review. As part of our evaluation, we also determined whether system security controls were adequate and effective for a sample of eight intelligence systems based upon the requirements in Director of Central Intelligence Directive 6/3, Protecting Sensitive Compartmented Information Within Information Systems. Additionally, we conducted system security vulnerability assessments for a subset of six of the eight intelligence systems included in our review. Furthermore, we evaluated DHS’ Plan of Action and Milestones (POA&M) process for its intelligence systems and followed up on previous recommendations discussed with DHS.

We recommended that DHS establish a single, comprehensive, and inclusive information security program for its intelligence systems in order to: (1) address the issues identified; (2) provide adequate security for the information and information systems that support intelligence operations and assets; and (3) ensure the confidentiality, integrity, and availability of vital intelligence information. Both DHS’ Office of Security and Assistant Secretary for Information Analysis concurred with our recommendation and have begun taking actions to address the issues identified.

Additional Information and Copies

To obtain additional copies of this report, call the Office of Inspector General (OIG) at (202) 254-4100, fax your request to (202) 254-4285, or visit the OIG web site at www.dhs.gov/oig.

OIG Hotline

To report alleged fraud, waste, abuse or mismanagement, or any other kind of criminal or noncriminal misconduct relative to department programs or operations, call the OIG Hotline at 1-800-323-8603; write to DHS Office of Inspector General/MAIL STOP 2600, Attention: Office of Investigations – Hotline, 245 Murray Drive, SW, Building 410, Washington, DC 20528; fax the complaint to (202) 254-4292; or email DHSOIGHOTLINE@dhs.gov. The OIG seeks to protect the identity of each writer and caller.